
(SM Support Tip): Working with mandatory parameter encryption in SM 9.50 and above

Since Service Manager 9.50, a set of parameters containing authentication data is automatically encrypted at startup and the sm.ini file is updated accordingly (when the values are not already encrypted).

The encryption key is stored in the smmasterkey parameter at the beginning of the sm.ini file; this parameter is not to be updated manually.

 

This mechanism is documented here: SM 9.52 Documentation > Randomly generated master keys

 

Note:

As all the parameters encrypted by smmasterkey relate to credentials, it is best practice for security reasons to replace the smmasterkey value by “<>” before sending sm.ini to external recipients who do not require access to the systems (e.g. Micro Focus support).

 

An encrypted parameter is identified in sm.ini by an asterisk prefix.

 

Example of unencrypted parameter:

sqllogin:rdbmsuser/mypassword

 

Example of encrypted parameter:

*sqllogin:D51CB23B379C873CBA055FB9A3798375AC93D48BB8AE2CC773D7317E4715EAE7

 

However, there are two kinds of encrypted parameters:

 

The smmasterkey mechanism applies to the following parameters and is applied automatically
(see SM 9.52 Documentation > Encryption of configuration file settings):

   changeencrkey
   upgradeencralg
   encryptionkey
   sqllogin
   ldapbindpass
   smtppassword
   keystorePass
   truststorePass
   ssl_trustedClientsPwd
   idmsigningkey

 

All other parameters can be manually encrypted using the older encryptionkey mechanism (see SM 9.52 Documentation > Startup parameter encryptionkey).

 

When working with sm.ini files on multiple SM application servers, this places new requirements on the procedure for rolling out sm.ini files, e.g. when migrating from an older SM version to SM 9.50 or later.

We would like to propose the following procedure as best practice:

  1. Prepare an sm.ini template with all parameters of the set listed above unencrypted and without the smmasterkey parameter.
  2. Copy this sm.ini template to all SM application hosts and edit the copy where host-specific settings are required.
  3. Start up Service Manager and verify that all sm.ini files are now encrypted correctly.

 

Notes:

* As the smmasterkey parameter is generated randomly, the encrypted values of the first kind are expected to differ on each application host.

* As the parameters of the second kind depend on the encryptionkey parameter, encryptionkey can be applied to the sm.ini template beforehand or later. These parameters may be the same on each application host when encryptionkey is the same.
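The verification in step 3 and the redaction advised in the note above can be scripted. The following is an added example, not Micro Focus code; it assumes the sm.ini layout shown in this post (one "name:value" setting per line, a "*" prefix on encrypted settings) and, as an assumption, treats lines starting with "#" as comments.

```python
"""Post-startup checks for Service Manager sm.ini files (added example, not Micro Focus code).
Assumes the layout shown in the post: one "name:value" setting per line and a "*" prefix on
encrypted settings; treating "#" lines as comments is an assumption."""
import re

# Parameters that smmasterkey encrypts automatically at startup (list from the post).
MASTERKEY_PARAMS = {
    "changeencrkey", "upgradeencralg", "encryptionkey", "sqllogin", "ldapbindpass",
    "smtppassword", "keystorePass", "truststorePass", "ssl_trustedClientsPwd", "idmsigningkey",
}
SETTING_RE = re.compile(r"^(\*?)(\w+):(.*)$")

def parse_sm_ini(text):
    """Return (encrypted, name, value) tuples for each setting line."""
    settings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if m:
            settings.append((m.group(1) == "*", m.group(2), m.group(3)))
    return settings

def check_after_startup(text):
    """Findings a correctly started 9.50+ host should not show (empty list when all is well)."""
    settings = parse_sm_ini(text)
    problems = [f"{name} is still in clear text"
                for enc, name, _ in settings if name in MASTERKEY_PARAMS and not enc]
    if not any(name == "smmasterkey" and value for _, name, value in settings):
        problems.append("smmasterkey is missing, so nothing was encrypted at startup")
    return sorted(problems)

def redact_master_key(text):
    """Replace the smmasterkey value by "<>" before sending sm.ini to external recipients."""
    return re.sub(r"^(\*?smmasterkey:).*$", r"\1<>", text, flags=re.MULTILINE)

# Constructed samples: a template before first start, and the same file after startup.
# The smmasterkey value is a made-up placeholder, not a real key.
SAMPLE_TEMPLATE = "sqllogin:rdbmsuser/mypassword\nldapbindpass:secret\nlog:../logs/sm.log\n"
SAMPLE_AFTER_STARTUP = (
    "smmasterkey:PLACEHOLDER_MASTER_KEY_VALUE\n"
    "*sqllogin:D51CB23B379C873CBA055FB9A3798375AC93D48BB8AE2CC773D7317E4715EAE7\n"
    "*ldapbindpass:AABBCCDD00112233\n"
    "log:../logs/sm.log\n"
)

if __name__ == "__main__":
    print(check_after_startup(SAMPLE_TEMPLATE))       # template: credentials clear, no master key
    print(check_after_startup(SAMPLE_AFTER_STARTUP))  # []
    print(redact_master_key(SAMPLE_AFTER_STARTUP).splitlines()[0])  # smmasterkey:<>
```

Run check_after_startup() against the sm.ini of every application host after the first start; any finding means step 3 did not complete on that host.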

 

When there is an issue with smmasterkey, we expect the following messages in the sm.log file:

   RTE E EVP_CipherFinal_ex failed in desDecryptWithAES256CBC()

   RTE E [OPENSSL] error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt 

These messages appear at the very beginning of the session log, or next to a specific parameter whose encrypted value cannot be decrypted.

Note: OpenSSL is also used by the SM RTE for other functions, such as LDAP connections and query hash processing, so similar error messages may also appear in those contexts.
